Kraken Ransomware Masquerades As Legit Software

A ransomware program named Kraken Cryptor is disguised as the popular anti-malware program, SuperAntiSpyware. Users are being tricked into installing what they think is anti-malware protection but which is really a wicked app that encrypts their data and demands money in exchange for the key to decrypting it. Here's how to avoid traps like this...

The Kraken Has Been Released!

In legend and lore, the Kraken is a terrifying beast that can wreak havoc on humanity. On the Internet, it's pretty much the same, but without all those teeth and tentacles.

It's bad enough that ransomware exists, but it's really bad when it pretends to be something good. Somehow, the purveyors of Kraken Cryptor managed to get their file onto SuperAntiSpyware.com's download server and serve up ransomware instead of the anti-malware program that users expected. This is a bad guy's fondest dream and the worst nightmare of users and anti-malware developers.

Kraken Cryptor is sold as "ransomware as a service": its authors maintain the program on their own server and rent it out to affiliates, who handle distribution. One delivery route is JavaScript planted in a web page that pulls the payload from the attackers' server, so the attack can come from any page that is vulnerable to code injection by third parties. There are many such pages, and plenty of "script kiddies" with few technical skills who could plant such a snippet in your favorite website's home page.

Kraken Cryptor first appeared on security researchers' radar in August 2018. MalwareHunterTeam, a group of security researchers, has been tracking it since then. The team discovered the disguised version 1.5 of Kraken Cryptor on SuperAntiSpyware's site on September 14, 2018, and sounded the alarm in a series of tweets.

Kraken Cryptor even displays the same thumbnail icon as the real SuperAntiSpyware. The legitimate installation file for SuperAntiSpyware is named SUPERAntiSpyware.exe; the disguised Kraken Cryptor installer is named SUPERAntiSpywares.exe. The only apparent difference is the extra letter "s" at the end of the filename. It's possible that the authors of Kraken Cryptor left that one small tell on purpose, but it may just as well have been a mistake. Either way, a filename and an icon prove nothing about what a file contains; check the publisher's digital signature on the file, or compare its hash against one the vendor publishes, before running any installer.

Kraken is Still On the Loose

It is important to note that Kraken Cryptor shares its name with older "Kraken" malware, which is not ransomware; it's easy to confuse the two. Also important: avoiding Kraken Cryptor is NOT as simple as staying away from SuperAntiSpyware.com.

If you downloaded the legitimate installer (without the "s" at the end) then you are safe; Kraken Cryptor did not tamper with that file, and it installs SuperAntiSpyware as expected. A statement from SuperAntiSpyware.com says that the rogue file was somehow uploaded to their download server, but it was "discovered and removed within several hours." Kraken Cryptor is now being distributed by "affiliates" through an exploit kit: code hosted on compromised or malicious websites that attacks vulnerabilities in visitors' browsers and plugins to install the ransomware without any download prompt.

Curiously, Kraken Cryptor checks the language and location settings of the target computer and will not encrypt machines that report one of the following countries: Armenia, Azerbaijan, Belarus, Estonia, Georgia, Iran, Kyrgyzstan, Kazakhstan, Lithuania, Latvia, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine, Uzbekistan, and Brazil. In theory you could "immunize" your PC by moving to Kazakhstan, or by changing your Windows language and region settings to one of the exempt nations. In practice, if you do not read and write that nation's language the setting is unusable, and since the check is simply code inside the ransomware, its authors can drop or change the list in the next build. Don't count on it.

The ransom demanded by Kraken Cryptor is one-eighth (0.125) of a Bitcoin. The price of a Bitcoin fluctuates wildly but as I type this the ransom is about $800 USD.

Kraken Cryptor takes multiple steps to make it impossible to decrypt one’s hostage data without paying the ransom. The only free recovery hope is a recent clean backup copy of your data. You could pay the ransom, but I advise against doing so.

First, there is no guarantee your data will be decrypted if you pay. The promise of a crook is worthless. It would make more sense, from the crook’s perspective, to demand even more money once it is determined that you are willing and able to pay. Second, paying a ransom encourages more ransomware. You could become known as an easy mark, and the target of multiple extortionists.

Protecting Against Kraken and Other Forms of Ransomware

Instead, protect yourself against ransomware by maintaining current, tested backups of all your important data, kept where a running infection cannot reach them (offline, or in a service that keeps earlier versions of your files). My ebook Everything You Need to Know About BACKUPS will get you started on the road to painless, automatic backups that are immune to ransomware infection.

Another approach is security software that monitors the behavior of all running programs and blocks any action that looks like it is about to encrypt your files, before actual harm is done. Malwarebytes Anti-Malware is one paid security suite that has this "behavior analysis" feature.
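Here is a stripped-down illustration of what such a behavior monitor looks for. It is an added example for this article, not Malwarebytes' or any other product's actual logic. The idea is that ransomware rewrites many files in a short time and the rewritten contents look random (high Shannon entropy), whereas a normal edit to a document does not. The script builds a constructed sample folder, simulates a harmless edit and then an encryption burst, and shows which one trips the alarm. The two thresholds are assumptions chosen for the demo.

```python
"""Toy 'behavior analysis' for ransomware: flag a burst of high-entropy rewrites.

Added example for illustration; not the detection logic of any named product.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed thresholds for the demo. Encrypted or compressed data approaches 8 bits/byte;
# plain text sits around 4-5. Real products tune these and combine them with other signals.
ENTROPY_THRESHOLD = 7.5
BURST_THRESHOLD = 5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def snapshot(root: Path) -> dict:
    """Map every regular file under `root` to the entropy of its current contents."""
    return {p: shannon_entropy(p.read_bytes()) for p in root.rglob("*") if p.is_file()}


def suspicious_rewrites(before: dict, after: dict) -> list:
    """Files that are now high-entropy but were low-entropy (or did not exist) before.

    A renamed file (report.txt -> report.txt.locked) shows up as a new path, which is
    what most ransomware produces, so new high-entropy files count too.
    """
    return [
        path
        for path, ent in after.items()
        if ent >= ENTROPY_THRESHOLD and before.get(path, 0.0) < ENTROPY_THRESHOLD
    ]


def encryption_burst(before: dict, after: dict) -> bool:
    """Raise the alarm when enough files flipped to high entropy in one interval."""
    return len(suspicious_rewrites(before, after)) >= BURST_THRESHOLD


def demo() -> dict:
    """Constructed scenario: eight text reports, one benign edit, then simulated ransomware."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for i in range(8):
            (root / f"report{i}.txt").write_text(
                f"Quarterly report {i}: revenue up, costs flat, see appendix.\n" * 20
            )
        baseline = snapshot(root)

        # Benign activity: a user edits one document. Still plain text, still low entropy.
        doc = root / "report0.txt"
        doc.write_text("Revised draft.\n" + doc.read_text())
        benign_flags = suspicious_rewrites(baseline, snapshot(root))

        # Simulated ransomware: overwrite every report with random bytes (a stand-in for
        # ciphertext) and tack on a new extension, as most ransomware does.
        for p in sorted(root.glob("report*.txt")):
            p.write_bytes(os.urandom(4096))
            p.rename(p.with_name(p.name + ".locked"))
        attacked = snapshot(root)

        return {
            "benign_flagged": len(benign_flags),
            "encrypted_flagged": len(suspicious_rewrites(baseline, attacked)),
            "alarm": encryption_burst(baseline, attacked),
        }


if __name__ == "__main__":
    print(demo())  # {'benign_flagged': 0, 'encrypted_flagged': 8, 'alarm': True}
```

The benign edit flags nothing, the simulated attack flags all eight files and raises the alarm. On a real machine an entropy-only heuristic is noisy (archives, images and already-encrypted files are legitimately high-entropy), which is why commercial products pair it with other signals such as canary files and per-process tracking, so that the offending process can be suspended rather than merely reported after the fact.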

But there's an even better option. Instead of relying on "blacklists" of known viruses, and giving potentially rogue programs a chance to test their mettle against your security software, why not block ALL programs from running unless they are known to be legitimate? That "whitelist" approach is implemented in PC Matic's SuperShield, which only lets known-good programs run on your computer. You can read about it in my article PC Matic - An Overdue Review.
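To make the whitelist idea concrete, and to tie it back to the SUPERAntiSpywares.exe lookalike described earlier, here is an added example in Python. It is not PC Matic SuperShield's or any vendor's code. The allow-list decides by the SHA-256 hash of the file's bytes rather than by its name or icon, which is why a file that differs from the real installer by one letter (or one that has the exact right name but the wrong contents) is blocked even though a human, or a filename-based filter, would wave it through. The "installer" contents, the known-name set and the trusted hash are constructed stand-ins.

```python
"""Hash-based application allow-list versus a name-based check.

Added example; not PC Matic SuperShield's or any vendor's implementation. The 'installers'
written here are constructed stand-ins, not real executables.
"""
import hashlib
import tempfile
from pathlib import Path

# Assumed for the demo: the filename a user expects to see for this product.
KNOWN_INSTALLER_NAMES = {"SUPERAntiSpyware.exe"}


def sha256_file(path: Path) -> str:
    """SHA-256 of a file's contents, streamed so large installers need not fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; one inserted 's' is a distance of 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def name_looks_legit(path: Path) -> bool:
    """What a user or a filename filter sees: is this name within one typo of a known one?"""
    return any(levenshtein(path.name, known) <= 1 for known in KNOWN_INSTALLER_NAMES)


class AllowList:
    """Run-or-block decision made purely on file contents."""

    def __init__(self, trusted_sha256: set):
        self.trusted = {h.lower() for h in trusted_sha256}

    def decide(self, path: Path) -> str:
        return "ALLOW" if sha256_file(path) in self.trusted else "BLOCK"


def demo() -> dict:
    """Three files: the genuine installer, the one-letter lookalike, and a trojan with the exact name."""
    genuine = b"MZ constructed stand-in for the real SUPERAntiSpyware installer\n" * 64
    rogue = b"MZ constructed stand-in for Kraken Cryptor wearing the same icon\n" * 64

    # In practice the trusted hash comes from a copy you verified or from the vendor;
    # here it is simply the hash of the constructed genuine bytes.
    allow = AllowList({hashlib.sha256(genuine).hexdigest()})

    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "SUPERAntiSpyware.exe").write_bytes(genuine)
        (root / "SUPERAntiSpywares.exe").write_bytes(rogue)  # the extra 's'
        other = root / "other-download"
        other.mkdir()
        (other / "SUPERAntiSpyware.exe").write_bytes(rogue)  # right name, wrong contents

        files = {
            "genuine": root / "SUPERAntiSpyware.exe",
            "lookalike": root / "SUPERAntiSpywares.exe",
            "trojan_exact_name": other / "SUPERAntiSpyware.exe",
        }
        return {
            label: {"name_looks_legit": name_looks_legit(p), "allowlist": allow.decide(p)}
            for label, p in files.items()
        }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:18} name_ok={verdict['name_looks_legit']!s:5} {verdict['allowlist']}")
```

The name column is the trap: all three files pass it, and only the genuine one passes the hash check. The cost of pure hash allow-listing is maintenance, since every legitimate update produces a new hash; that is why commercial products back the list with a vendor-maintained database of known-good hashes, and why corporate application-control tools usually prefer rules keyed on the publisher's code-signing certificate over per-file hashes.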

Have you been sucker-punched by ransomware? If so, how did you handle it? If not, do you think you are vulnerable? Your thoughts on this topic are welcome. Post your comment or question below...

Most recent comments on "Kraken Ransomware Masquerades As Legit Software"

Posted by:
snert
15 Oct 2018

Why would anyone install something they know absolutely nothing about? When it comes to my computer, I'm very wary about installing anything, especially if it's free. I've gotten emails and calls stating I have outstanding debts, but I never return their calls; instead, if it catches my attention, I'll call the company I did business with, or else I just delete!!!

Posted by:
Mark H.
15 Oct 2018

Haven't been hit by ransomware as I limit what programs I run. I download the .exe files and run scans on them before running. I keep my AV definitions up to date. Also, I run daily backups on my computers and I use OneDrive. So, if something happens I can recover.

Posted by:
Jeff Ferguson
15 Oct 2018

BitDefender Total Security 2019 will also monitor for such malware and will prevent encryption.

Posted by:
Jerry Barnes
15 Oct 2018

VoodooShield uses the whitelist method, stopping any unknown program, alerting you, and letting you decide whether to allow it or not. I've been using it for a few months. Very little overhead, and it has worked perfectly.

Posted by:
Jerry Barnes
15 Oct 2018

BTW: I also have MalwareBytes Anti-Malware Pro running.

Posted by:
Stuart Berg
15 Oct 2018

Bob,
I'm curious why you never mention other "whitelist" malware protection software. For example, https://voodooshield.com/ is excellent software and comes in free (for non-commercial home use) and paid versions. There may be others, but I know from using it that VoodooShield is excellent.

Posted by:
Michel Cote
15 Oct 2018

Can an external drive with automatic backup be affected by ransomware?

Posted by:
Coco
15 Oct 2018

Michel,

Yes it can, if it is attached to the PC while the ransomware is running. Best case - plug in the external drive while needed to run the backup and then unplug it from the PC when completed. Anything that can be seen by file explorer can be seen by the ransomware. HTH

Posted by:
Robin
15 Oct 2018

I've been using Zonealarm Extreme for years and have never had a problem with anything including ransomware.

ZA Extreme never seems to be reviewed or discussed in tech media, but it's a good program.

Posted by:
Mark M.
16 Oct 2018

Alas, 2+ years ago I was hit with a locked-up computer and subsequent direction to have "Windows" called to address it. Not knowing any better, I paid the fee ($200) and had them "fix" my system, and paid with a credit card. It seemed to work.
Six months later my hard drive failed and I purchased a completely new system. My credit card had an unrelated "hack" and was replaced. I learned a lot and have installed Malwarebytes, HitmanPro, and VIPRE (I have a lifetime subscription) along with PrivaZer for cleanup. I know that running several antivirus programs can conflict and slow things down, but I have not experienced any problems.
I get phone calls several times a month from the crooks, alerting me to error messages and saying they need to help me fix them. I even had, and still get, ones offering to refund my repair bill as they are going out of business but need to remove their software from my system. Needless to say, I have fun talking to them, as I learned my lesson, and no one is getting remote access to my computer except the manufacturer (Dell), and only at my request. I have 2 SSD drives for backup that are not connected unless I am backing up. Fool me once...

@bb - I don't see a 'Windows Security' under Update & Security. (Using Windows 10 Home.)

Posted by:
Wolfgang
16 Oct 2018

Great article! My intention is to keep my computers as cyber-fortresses. This is why I have SuperAntiSpyware, Malwarebytes Anti-Malware, ZoneAlarm, Spybot Search & Destroy, and other geek security software. I also agree that Microsoft does NOT make it easy. Regarding my files, I have several backups of everything. Regarding software downloads, I scrutinize EVERYTHING! An example is Adobe Flash Player, which I have set to inform me that a download is imminent. In case all of the above fails, I will NEVER pay any ransomware huckster! I will instead format the hard drive, reinstall the operating system, restore the partitions, restore the backups, and start fresh, after securely wiping the free space. Thank you!

Posted by:
Frank
16 Oct 2018

I always use Sandboxie to visit the internet, where any files used within it, naughty or otherwise, can be deleted without them getting access to my main computer files. I am under the assumption that this is a complete safeguard - am I wrong? However, I have also cleared the check boxes on the "Remote" tab of the System Properties in the Control Panel, which prevents the remote use of my computer in any case.
